1 . (currently amended) A computer-implemented method for controlling controling 
access to documents during a workflow, comprising: 

upon entry of a base document into a workflow, creating a working copy of the base 
document; 

selectively providing a user access to eithe? the base document or th e working copy of th e 
bas e docum e nt depending upon the identity of a user; 

selectively providing a user access to the working copy of the base document depending 
upon the identity of a user; and 

if a user is provided access to the working copy of the base document, selectively 
providing access to perform operations on the working copy of the base document depending 
upon the identity of a user. 

2. (original) The method of claim 1, further comprising: 

storing access control list data in relation to the base document, the access control list 
data defining access controls on performing operations of the working copy of the base 
document; and 

storing security descriptor data in relation to the base document and the working copy of 
the base document, the security descriptor data defining access controls on reading the base 
document and the working copy of the base document. 

3. (currently amended) The method of claim 2, wherein the st e p of selectively 
providing access to perform operations on the working copy of the base document depending 
upon the identity of a user, furth e r comprises: 
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determining using the access control list data stored in relation to the base document that 
a user has permission to perform an operation on the copy of the base document; and 
allowing the user to perform the operation on the copy of the base document. 



4. (currently amended) The method of claim 2, wherein the step of selectively 
providing access to perform operations on the working copy of the base document depending 
upon the identity of a user, furth e r comprises: 

determining using the access control list data stored in relation to the base document that 
a user does not have permission to perform an operation on the copy of the base document; and 
denying the user access to perform the operation on the copy of the base document. 

5. (currently amended) The method of claim 2, wherein the access control list data 
comprises information identifying for each of a plurality of operations, the set of users that have 
permission to perform the operation, and said act of selectively providing access to perform 
operations on the working copy of the base document depending upon the identity of a user, 
furth e r comprises: 

referencing the information identifying for each of a plurality of operations, the 
set of users that have permission to perform the operation; and 

if the user is in the set of users that have permission to perform the operation, 
providing access to the operation. 

6. (currently amended) The method of claim 2, wherein the access control list data 
comprises information identifying for each of a plurality of operations, the set of users that have 
permission to perform the operation, and said act of selectively providing access to perform 
operations on the working copy of the base document depending upon the identity of a user, 
furth e r comprises: 

referencing the information identifying for each of a plurality of operations, the 
set of users that have permission to perform the operation; and 
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- - if the user is not in the set of users that have permission to perform "the operation, 

denying access to the operation. 



7. (currently amended) The method of claim 5, wherein the set of users are defined 
in terms of the roles that have permission to perform the operation, and said act of referencing 
the information identifying for each of a plurality of operations, the set of users that have 
permission to perform the operation, furth e r comprises: 

resolving for the user the set of roles to which the user has been assigned; and 
determining using the set of roles to which the user has been assigned and the set 

of users defined in terms of the roles that have permission to perform the operation, whether the 

user has permission to perform the requested operation. 

8. (currently amended) The method of claim 2, wherein th e step of selectively 
providing a user access to e ith e r th e bas e docum e nt or the working copy of the base document 
depending upon the identity of a user, furth e r comprises: 

determining using the security descriptor data stored in relation to the base document and 
the working copy document, that a user has permission to read the working copy of the base 
document; and 

providing the user access to the working copy of the base document. 

9. (currently amended) The method of claim 2, wherein th e st e p of selectively 
providing a user access to e ith e r th e bas e document or the working copy of the base document 
depending upon the identity of a user, furth e r comprises: 

determining using the security descriptor data stored in relation to the base document and 
the working copy document, that a user does not have permission to read the working copy of the 
base document; and 

denying the user access to the working copy of the base document. 
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10. (currently amended) - The method of claim 2, wherein the security descriptor data 
comprises information identifying the set of users that have permission to read each of the base 
document and the working copy of the base document, and said act of selectively providing 
access to e ith e r th e base docum e nt or the working copy of the base document docum e nts 
depending on the identity of the user, furth e r comprises: 

referencing the information identifying the set of users that have permission to 
read each of the base document and the working copy of the base document; and 

if the user is in the set of users that have permission to read the working copy of 
the base document, providing access to the working copy of the base document. 

11. (currently amended) The method of claim 10, wherein the set of users are 
defined in terms of the roles that have permission to read each of the base document and the 
working copy of the base document, and said act of referencing the information identifying the 
set of users that have permission to read each of the base document and the working copy of the 
base document, furth e r comprises: 

resolving for the user the set of roles to which the user has been assigned; and 
determining using the set of roles to which the user has been assigned and the set 
of us e r d e fined in t e rms of th e roles that have permission to read each of the base document and 
the working copy of the base document, whether the user has permission to read the base 
document or the working copy of the base document. 

12. (original) A computer-readable media having stored thereon computer-executable 
instructions for performing the steps recited in claim 1 . 

13. (currently amended) A system for providing document isolation in a workflow 
environment, comprising: 

a processor, wherein said processor is operable to execute instructions for performing the 
following acts: 
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" maintaining for a base document undergoing a publishing workflow, a copy of tHe 
base document; 

maintaining access control data in relation to the base document and the copy of 
the base document; aad 

upon receipt of a request to access the base document, selectively determining 
based on the access control data to provide access to e ith e r the base document or th e copy of th e 
base docum e nt ; and 

upon receipt of a request to access the base document, selectively determining based on 
the access control data to provide access to the copy of the base document . 

14. (original) The system of claim 13, wherein the access control data comprises 
security descriptor data identifying the set of users that have permission to read the base 
document and the copy of the base document. 

15. (currently amended) The system of claim 14, wherein said processor is operable 
to execute instructions for performing the following furth e r acts: 

referencing the security descriptor data; and 

determining that a user should be directed to the copy of the base document based 
on the security descriptor data. 

16. (currently amended) The system of claim 15, wherein the security descriptor 
data identifies a set of roles corresponding to the set of users that have permission to read the 
base document and the copy of the base document, and wherein said processor is operable to 
execute instructions for performing the furth e r act of determining the set of roles that a user has 
been assigned. 
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17. (original) The system of claim 13, wherein the access control data comprises access" 

control list data identifying the set of users that have permission to perform operations on the 
copy of the base document. 

18. (currently amended) The system of claim 17, wherein said processor is operable 
to execute instructions for performing the following furth e r acts: 

referencing the access control list data; and 

determining that a user should be allowed to perform an operation on the copy of 
the base document based on the access control list data. 

19. (currently amended) The system of claim 18, wherein the access control list data 
identifies a set of roles corresponding to the set of users that have permission to perform 
operations on the copy of the base document, and wherein said processor is operable to execute 
instructions for performing the furth e r act of determining the set of roles that a user has been 
assigned. 

20. (currently amended) A method for controlling access to operations that may be 
performed on a document, of updating acc e ss controls to r e fl e ct th e addition of a n e w op e ration 
that may b e p e rform e d on a copy of a bas e docum e nt, in a syst e m wh e r e in acc e ss to op e rations to 
b e p e rform e d on a copy of the base document are controlod using an access control list which 
id e ntifi e s th e op e rations that may b e p e rform e d and th e rol e s that a us e r must hav e to access 
thos e operations, comprising: 

upon creation of a workflow, creating a copy of a base document; 

receiving a request to create a new operation that may be performed on the copy 
of the base document; 

assigning a unique identifier to the new operation that may b e p e rform e d on a 
copy of a bas e docum e nt ; 
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updating an the access control list to include an entry for the unique identifier for 

the new operation; and 

updating the access control list to include an entry identifying the roles that have 
access to the new operation. 

21 . (new) The method of claim 20, further comprising updating the access control 
list to change roles that have access to the new operation in response to a change in the state 
occupied by the working copy of the document in the workflow. 

22. (new) The method of claim 20, wherein the workflow is a publishing workflow 
and the new operation is at least one of the following: review and approve. 

23. (new) The method of claim 20, further comprising: 

receiving a request to perform the new operation on the copy of the base document; 
determining using the access control list whether to allow access to the new operation. 

24. (new) The method of claim 23, wherein determining using the access control list 
whether to allow access to the new operation comprises comparing a user's roles with the roles 
identified in the access control list as having access to the new operation. 

25. (new) A computer-implemented method of controlling access to documents, 
comprising: 

maintaining a first list defining who may access a base document; 

maintaining a second list defining who may perform operations on the base document; 

upon receipt of a request from a user to create a workflow, accessing the first list and the 
second list to determine whether the user may create a workflow relating to the base document; 

if the first list and the second list indicate the user may create a workflow relating to the 
base document, creating a copy of the base document; and 
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while the copy of the base document is in the workflow, in response to requests to access 

the base document, accessing at least the first list to determine whether to provide access to the 
copy of the base document. 

26. (new) The method of claim 25, wherein maintaining a first list defining who may 
access a base document comprises maintaining a list of security descriptors. 

27. (new) The method of claim 25, wherein maintaining a second list defining who 
may perform operations on the base document comprises maintaining an access control list. 

28. (new) The method of claim 25, further comprising updating the second list upon 
creation of the copy of the base document to identify who may perform operations on the copy of 
the base document. 

29. (new) The method of claim 25, wherein maintaining a first list defining who may 
access a base document comprises maintaining a first list defining roles that may access a base 
document. 



30. (new) The method of claim 25, further comprising maintaining a third list 
defining who may access the copy of the base document. 
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